By Joris Evers
Staff Writer, CNET News.com
October 24, 2005
SAN FRANCISCO -- A judge in a case over a high-profile data security
breach at payment processor CardSystems Solutions told parties on
Monday to stop squabbling and be productive.
San Francisco Superior Court Judge Richard Kramer told the
plaintiffs--who seek to represent classes of California consumers and
merchants--and defendants Visa and MasterCard to exchange information
about their relationship with CardSystems.
Kramer gave similar instructions a month ago, but parties in a hearing
Monday said they have been unable to agree on the type of information
that should be shared.
"You folks maybe can't agree on anything, except maybe on what day you
should be here," Kramer said.
He told Visa and MasterCard again to disclose details about their
relationship with CardSystems and instructed the plaintiffs not to ask
for an overly broad release of information. Visa and MasterCard during
the Monday afternoon hearing accused the plaintiffs of asking for too
The information, such as contracts between the companies, should help
determine whether the credit card companies have responsibility under
California law to notify consumers whose personal details were exposed
in the CardSystems breach.
Visa, MasterCard, Merrick Bank and CardSystems were sued in June on
behalf of California credit card holders and card-accepting merchants.
The suit seeks to test a state law that requires consumer notification
after personal information stored on computers is lost, stolen or
The digital break-in at CardSystems was publicly disclosed by
MasterCard on June 17. Intruders got access to details on about 40
million credit cards. Visa and MasterCard maintain that notification
responsibility falls with the banks that issue credit cards because
they have direct relationships with the affected customers.
Kramer has said he wants to determine which defendants fall under
California civil code section 1798.82, the notification statute. While
it is clear that the breach was at CardSystems, the law applies to
entities that "own or license" personal information about
Plaintiffs in the case say the statute covers Visa, MasterCard,
CardSystems and Merrick, while defendants MasterCard, Visa and Merrick
have argued that the statute does not apply to them.
Another hearing in the case has been scheduled for Jan. 9.
InfoSec News v2.0 - Coming Soon!